Abstract

A formalism with quantifiers permits two kinds of substitution: syntactic substitution that allows the capture of bound variables and semantic substitution that does not. When quantification is explicit, all substitution can be made semantic. When quantification is implicit, as in some formalisms used to reason about programs, both types of substitution are needed.

Consider the following definitions:

$$x = r * \cos\theta \qquad F = \exists\,\theta : x \neq \tan\theta \qquad (1)$$

What does F equal? It should equal the result of substituting $r * \cos\theta$ for x in $\exists\,\theta : x \neq \tan\theta$. Naive substitution makes F equal to $\exists\,\theta : r * \cos\theta \neq \tan\theta$, which is how most readers would probably interpret (1). However, naive substitution can lead to problems. Naively substituting $\tan\theta$ for x in the formula $\exists\,\theta : x \neq \tan\theta$, which is valid for any x, yields the invalid formula $\exists\,\theta : \tan\theta \neq \tan\theta$. Validity is lost because the free variable $\theta$ is "captured" by the quantifier $\exists\,\theta$. Logicians therefore define substitution so it renames bound variables, when necessary, to prevent the capture of variables. Under this kind of substitution, (1) defines F to equal $\exists\,\vartheta : r * \cos\theta \neq \tan\vartheta$. I refer to naive substitution as uniform substitution, and I call the logician's definition contextual substitution.

Substitution in predicate logic is well understood. An easy way to avoid confusion is to use the following rule: a symbol may not be used as a bound variable if it already has a meaning. The definition of F in (1) violates this rule because $\theta$ already has a meaning — otherwise, the definition of x would be meaningless. Instead of (1), we can write

$$x(\theta) = r * \cos\theta \qquad F = \exists\,\theta : x(\theta) \neq \tan\theta$$

assuming now that $\theta$ does not already have a meaning. For predicate logic, the rule guarantees that uniform and contextual substitution are equivalent.
The distinction between uniform and contextual substitution cannot be eliminated so easily in all formalisms. Uniform substitution is defined by letting the result of substituting in $o(e_1, \ldots, e_n)$, for any operator o, equal $o(\overline{e_1}, \ldots, \overline{e_n})$, where $\overline{e_i}$ is the result of substituting in $e_i$. Thus by definition, uniform substitution distributes over the formalism's operators. If a formalism also has a definition of contextual substitution, then the two will be equivalent iff contextual substitution distributes over all operators of the formalism. If we consider $\exists$ to be an operator, we can say that the two types of substitution differ in predicate logic because contextual substitution does not distribute over $\exists\,\theta$. The formula $\overline{\exists\,\theta : P}$ need not be equivalent to $\exists\,\theta : \overline{P}$, where overbar ($\overline{\ \ }$) denotes some specific contextual substitution.
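As an added illustration (not from the paper), the following Python model implements both substitutions on a small formula AST and runs them on the formula of (1); the term encoding is constructed for the example, and it names the renamed bound variable θ' rather than a new Greek letter.

```python
# Added example (not from the paper): uniform vs contextual substitution on a
# tiny formula AST, applied to the paper's formula (1). Constructed encoding:
#   ('var', name) | ('app', op, *args) | ('exists', bound_var, body)
def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return set().union(*(free_vars(a) for a in t[2:]))
    return free_vars(t[2]) - {t[1]}             # the bound variable is not free

def uniform(t, x, e):
    # Naive substitution: distributes over every operator, the quantifier too.
    if t[0] == 'var':
        return e if t[1] == x else t
    if t[0] == 'app':
        return t[:2] + tuple(uniform(a, x, e) for a in t[2:])
    return ('exists', t[1], uniform(t[2], x, e))

def contextual(t, x, e):
    # Logician's substitution: stops at a binder of x, renames a capturing binder.
    if t[0] == 'var':
        return e if t[1] == x else t
    if t[0] == 'app':
        return t[:2] + tuple(contextual(a, x, e) for a in t[2:])
    v, body = t[1], t[2]
    if v == x:                                  # x is bound here: nothing to do
        return t
    if v in free_vars(e):                       # capture would occur: rename v
        fresh = v + "'"
        while fresh in free_vars(body) | free_vars(e):
            fresh += "'"
        body, v = contextual(body, v, ('var', fresh)), fresh
    return ('exists', v, contextual(body, x, e))

def show(t):
    # Pretty-printer in the paper's notation, e.g. "∃θ : x ≠ tan θ".
    if t[0] == 'var':
        return t[1]
    if t[0] == 'exists':
        return f"∃{t[1]} : {show(t[2])}"
    op, args = t[1], t[2:]
    if len(args) == 1:
        return f"{op} {show(args[0])}"
    wrap = lambda a: f"({show(a)})" if a[0] == 'app' and len(a) == 4 else show(a)
    return f"{wrap(args[0])} {op} {wrap(args[1])}"

THETA, X, R = ('var', 'θ'), ('var', 'x'), ('var', 'r')
TAN_THETA = ('app', 'tan', THETA)
FORMULA = ('exists', 'θ', ('app', '≠', X, TAN_THETA))        # ∃θ : x ≠ tan θ
R_COS_THETA = ('app', '*', R, ('app', 'cos', THETA))         # r * cos θ
```

Calling `show(uniform(FORMULA, 'x', TAN_THETA))` gives the invalid `∃θ : tan θ ≠ tan θ`, while `show(contextual(FORMULA, 'x', TAN_THETA))` gives `∃θ' : tan θ ≠ tan θ'`, which is still valid.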

If a formalism for reasoning about programs has a definition of contextual substitution, then contextual substitution is likely to differ from uniform substitution. In particular, if the formalism has a semicolon ( ; ) operator that corresponds to the semicolon of ordinary programming languages, then $\overline{S ; T}$ need not equal $\overline{S} ; \overline{T}$ for formulas S and T. More precisely, I will show that contextual substitution does not distribute over semicolon in a formalism in which $x := x + 1 ; x := x + 1$ is equivalent to $x := x + 2$, where $x := \ldots$ denotes the formula corresponding to the assignment statement.

What does it mean to substitute an expression like $r * \cos\theta$ for x in $x := x + 1$, and why should we care? Substitution arises when implementing (or refining) one program with another. If the specification of a program is that it satisfy a postcondition S, then an implementation in which x is refined by $r * \cos\theta$ is correct iff it satisfies the postcondition $\overline{S}$, where the substitution is $x \leftarrow r * \cos\theta$ [1]. If S is a formula that represents a program, then implementing S under a refinement means implementing $\overline{S}$.

To see how such substitution is performed, consider a program with two variables x and y whose values represent the cartesian coordinates of a point in a plane. We can obtain an equivalent program with variables r and $\theta$ whose values represent polar coordinates by performing the substitution $x \leftarrow r * \cos\theta,\ y \leftarrow r * \sin\theta$. To compute the formula $\overline{x := x + 1}$ obtained from $x := x + 1$ by this substitution, we can write $x := x + 1$ as the relation $(x' = x + 1) \wedge (y' = y)$ between the old and new (primed) values of the variables, and substitute to obtain

$$(r' * \cos\theta' = r * \cos\theta + 1) \wedge (r' * \sin\theta' = r * \sin\theta)$$

Solving for $r'$ and $\theta'$ in terms of r and $\theta$ then allows us to write $\overline{x := x + 1}$ as a multiple assignment of the form $r, \theta := \ldots$ (When $y = 0$ and $x = -1$, this will be a nondeterministic assignment that sets r to 0 and $\theta$ to any value in its range.)

This particular substitution does distribute over semicolon. It is easy to show that the substitution $x \leftarrow z,\ y \leftarrow z$ does not. However, I will construct a more plausible example for which $\overline{x := x + 1} ; \overline{x := x + 1}$ is not equivalent to $\overline{x := x + 2}$. The example is the same as the preceding one, except r and $\theta$ are hyperbolic coordinates. The substitution is $x \leftarrow r * \cosh\theta,\ y \leftarrow r * \sinh\theta$, where r and $\theta$ are real numbers. Since $(\cosh\theta)^2 > (\sinh\theta)^2$ if $\theta$ is real, $|x| > |y|$ for all x and y. (Hyperbolic coordinates can represent only points whose cartesian coordinates satisfy $|x| > |y|$.) When we compute $\overline{x := x + 1}$, we obtain solutions for $r'$ and $\theta'$ iff $|x + 1| > |y|$. The formula $\overline{x := x + 1}$ therefore is undefined when $|x + 1| < |y|$.¹ In particular, $\overline{x := x + 1}$ is undefined if $x = -1$ and $y = 1$. Hence, $\overline{x := x + 1} ; \overline{x := x + 1}$ is also undefined in this case. However, a similar calculation shows that $\overline{x := x + 2}$ is undefined iff $|x + 2| < |y|$, so it is defined when $x = -1$ and $y = 1$. Therefore, $\overline{x := x + 1} ; \overline{x := x + 1}$ is not equivalent to $\overline{x := x + 2}$, so contextual substitution does not distribute over semicolon if $x := x + 1 ; x := x + 1$ is equivalent to $x := x + 2$.
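The "similar calculation" the text refers to, carried through here as an added derivation (not part of the paper) for a general shift $x := x + c$, so that $c = 1$ and $c = 2$ cover both formulas compared above; after substituting, it writes $x$ for $r * \cos\theta$ (resp. $r * \cosh\theta$) and $y$ for $r * \sin\theta$ (resp. $r * \sinh\theta$):

```latex
\begin{aligned}
&\textbf{Polar}\ (x \leftarrow r * \cos\theta,\ y \leftarrow r * \sin\theta):\\
&\quad (r' * \cos\theta' = r * \cos\theta + c) \wedge (r' * \sin\theta' = r * \sin\theta)
 \;\Longrightarrow\; r'^{2} = (x + c)^2 + y^2,\quad \tan\theta' = \frac{y}{x + c},\\
&\quad\text{so } \overline{x := x + c} \text{ is defined for every } (x, y);
 \text{ at } x + c = y = 0 \text{ it sets } r' = 0 \text{ and leaves } \theta' \text{ unconstrained.}\\[6pt]
&\textbf{Hyperbolic}\ (x \leftarrow r * \cosh\theta,\ y \leftarrow r * \sinh\theta),\ \text{using } \cosh^2\theta' - \sinh^2\theta' = 1:\\
&\quad (r' * \cosh\theta' = r * \cosh\theta + c) \wedge (r' * \sinh\theta' = r * \sinh\theta)
 \;\Longrightarrow\; r'^{2} = (x + c)^2 - y^2,\quad \tanh\theta' = \frac{y}{x + c},\\
&\quad\text{and because } |\tanh\theta'| < 1 \text{ for real } \theta', \text{ real } r', \theta' \text{ exist iff } |x + c| > |y|
 \text{ (or } x + c = y = 0, \text{ with } r' = 0).\\
&\quad\text{Hence } \overline{x := x + 1} \text{ is defined iff } |x + 1| > |y|, \text{ while }
 \overline{x := x + 1} ; \overline{x := x + 1} \text{ needs both } (x + 1, y) \text{ and } (x + 2, y) \text{ representable.}
\end{aligned}
```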

Contextual substitution does not distribute over semicolon because semicolon involves an implicit quantification over the intermediate values of variables, and free variables are captured by the implicit quantifiers. Programming logics typically have operators with implicit quantification — for example, the wp (weakest precondition) and sp (strongest postcondition) operators — and substitution does not distribute over them.

Substitution arises when proving that one program or system specification implements another. It does not occur in the standard theories of program correctness in which one proves that a program satisfies a property, not that one program implements another. In reasoning about concurrent systems, one does prove that one system specification implements another. As observed in [2, Section 8.3.3], substitution does not distribute over the Enabled operator of TLA, nor over the weak and strong fairness operators WF and SF defined in terms of it. The same problem should arise in any method in which liveness properties are specified as fairness conditions on actions. Although such fairness conditions are often used in describing systems, TLA appears to be the only specification method employing them that has been sufficiently well formalized so the problem is evident.

The rule given above for making contextual and uniform substitution the same in predicate logic does not work when the quantifiers are implicit. There does not even seem to be any common notation to distinguish the two. In the definitions

$$\begin{aligned}
x &\triangleq r * \cosh\theta\\
y &\triangleq r * \sinh\theta\\
Twice(A) &\triangleq A ; A\\
B &\triangleq Twice(x := x + 1)
\end{aligned} \qquad (2)$$

does B equal $\overline{x := x + 1} ; \overline{x := x + 1}$ or $\overline{x := x + 1 ; x := x + 1}$? The first interpretation, based on uniform substitution, is the more natural one. If we choose this interpretation, then we must introduce some additional notation for contextual substitution.

¹ More precisely, it represents a statement whose execution is undefined when $|x + 1| < |y|$. Depending on the formalism, executing a statement when it is undefined might mean that the program waits, that execution aborts, or that the program is illegal.

Should substitution be uniform or contextual? The answer is yes. Both types of substitution are needed. We want to derive new theorems from existing ones by substitution, and we can do this only with contextual substitution. In theory, contextual substitution should suffice; in practice it does not. We build a complex formula from simple pieces through a sequence of definitions. As (1) and (2) indicate, it is much easier to see what we are defining when definitions are expanded by uniform substitution. If uniform and contextual substitution are not equivalent, a practical formalism should provide both.